You can use Windows or Forms authentication with this
method. However, the code listings included in this article use Forms
authentication. The first step is to set up security for the application.
Listing 1 demonstrates how to set up Forms Authentication for
the web site's root directory. In this application everyone can access the
pages in the root directory, and the security for subdirectories is
accomplished by using a separate Web.config file inside each directory. How to secure
subdirectories will be discussed later in this article.
Set the authentication mode equal to Forms. Set the forms
name equal to "MenuAuth." This is the name of the cookie used for
forms authentication. Then under credentials, set the password format to SHA1.
Later I will demonstrate how to hash the passwords to store them in the
web.config file. Then for each user you set the user name and hashed password.
And then under authorization, allow all users by using the asterisk (*). This
example stores user names and passwords in the web.config file, but you could
also use a database to store this information. You may want to use a database if
you have a lot of user names to store.
To use the code from this article you will need to create a
new web application. Start by copying the code from Listing 1 into your
favorite text editor and save it in the application's root directory. There are
two users in the web.config, user1 and user2. The passwords are the same as the
user names.
Listing 1 - This is the Web.config file in the web site's root directory
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authentication mode="Forms">
      <forms name="MenuAuth">
        <credentials passwordFormat="SHA1">
          <user name="User1"
                password="B3DAA77B4C04A9551B8781D03191FE098F325E67"/>
          <user name="User2"
                password="A1881C06EEC96DB9901C7BBFE41C42A3F08E9CB4"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <allow users="*"/>
    </authorization>
    <compilation debug="false"/>
  </system.web>
</configuration>
Listing 2 shows the login page for the web site. The web form
has an input for the user name, an input for the password, two validators to make these
required fields, a label for displaying messages to the user, and a login
button. When the user clicks the login button and both inputs are filled
in, an attempt is made to authenticate the user name and password. If
authentication is successful, the user is redirected to the page they were
requesting. If authentication fails, the user receives a message that the user
name and password they entered are invalid, and they are asked to try again.
Create Login.aspx in the application's root directory.
Listing 2 - This is the Login.aspx page
<%@ Page Language="C#" MasterPageFile="~/MasterPage.master"
    Title="Menu" Theme="Default" %>
<script runat="server">
    // Check the submitted credentials against the <credentials> section of
    // Web.config; on success send the user back to the page they asked for.
    void Login_Click(Object sender, EventArgs E)
    {
        if (FormsAuthentication.Authenticate(UserName.Value.Trim(),
                                             UserPass.Value.Trim()))
        {
            // false: issue a session cookie, not a persistent one
            FormsAuthentication.RedirectFromLoginPage(UserName.Value.Trim(), false);
        }
        else
        {
            Msg.Text = "Invalid Credentials: Please try again";
        }
    }
</script>
<asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1"
    Runat="Server">
  <h3>Login Page</h3>
  <table>
    <tr>
      <td>User Name:</td>
      <td><input id="UserName" type="text" runat="server"/></td>
      <td><asp:RequiredFieldValidator ID="RequiredFieldValidator1"
            ControlToValidate="UserName" Display="Static" ErrorMessage="*"
            runat="server"/></td>
    </tr>
    <tr>
      <td>Password:</td>
      <td><input id="UserPass" type="password" runat="server"/></td>
      <td><asp:RequiredFieldValidator ID="RequiredFieldValidator2"
            ControlToValidate="UserPass" Display="Static" ErrorMessage="*"
            runat="server"/></td>
    </tr>
  </table>
  <asp:Button ID="Button1" Text="Login" OnClick="Login_Click" runat="server"/>
  <asp:Label ID="Msg" ForeColor="red" Font-Size="10" runat="server" />
</asp:Content>
Hash Password
The passwords must be hashed before you can store them in
the web.config file or a database. Listing 3 is a web page that lets you
enter a password; click the Hash Password button and the hashed version of your
password is displayed in a label. It is then ready to be copied and stored in
the configuration file. The hashing is accomplished by using the
FormsAuthentication.HashPasswordForStoringInConfigFile method. One note of
caution: you must use the same format in this hashing web page that you have in
the web.config file, or the passwords will not authenticate. You can create this
file in the application's root directory, but there is no need to publish
it to a live web site.
Listing 3 - This is the web page that will allow you to hash passwords (Hash.aspx)
<%@ Page Language="C#" MasterPageFile="~/MasterPage.master" Title="Hash"
    Theme="Default" %>
<script runat="server">
    protected void Button1_Click(object sender, EventArgs e)
    {
        // "sha1" must match passwordFormat="SHA1" in Web.config
        Label1.Text =
            FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox1.Text, "sha1");
    }
</script>
<asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1"
    Runat="Server">
  <asp:TextBox ID="TextBox1" runat="server" Width="200px"></asp:TextBox>
  <asp:Button ID="Button1" runat="server" Text="Hash Password"
      OnClick="Button1_Click" Width="100px" />
  <asp:Label ID="Label1" runat="server"></asp:Label>
</asp:Content>
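As an added, stand-alone illustration of Listings 1 and 3 (example code, not from the article), this Python script reproduces the value HashPasswordForStoringInConfigFile returns for the SHA1 format, emits a <credentials> block in the Listing 1 layout, and mirrors the check FormsAuthentication.Authenticate performs. It assumes the .NET method UTF-8 encodes the password and returns the upper-case hex digest, and that Authenticate matches the user name case-insensitively; the users and passwords are constructed, and nothing here needs to be published to a web server.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

def hash_for_config(password: str, fmt: str = "SHA1") -> str:
    """Assumed equivalent of HashPasswordForStoringInConfigFile: UTF-8 encode,
    hash, return the hex digest in upper case. The hash is unsalted, so every
    user with the same password gets the same stored value."""
    algos = {"SHA1": hashlib.sha1, "MD5": hashlib.md5}
    if fmt.upper() not in algos:
        raise ValueError(f"unsupported passwordFormat {fmt!r}")
    return algos[fmt.upper()](password.encode("utf-8")).hexdigest().upper()

def credentials_block(users: dict, fmt: str = "SHA1") -> str:
    """Emit the <credentials> element in the layout of Listing 1."""
    lines = [f'<credentials passwordFormat="{fmt}">']
    for name, pw in users.items():
        lines.append(f'  <user name="{name}" password="{hash_for_config(pw, fmt)}"/>')
    lines.append("</credentials>")
    return "\n".join(lines)

def load_credentials(config_xml: str):
    """Return (passwordFormat, {lower-cased user name: stored hash})."""
    root = ET.fromstring(config_xml)
    # {*} matches any namespace, so the xmlns on <configuration> does not matter
    creds = root.find("./{*}system.web/{*}authentication/{*}forms/{*}credentials")
    if creds is None:
        raise ValueError("no <credentials> element in Web.config")
    users = {u.get("name", "").lower(): u.get("password", "")
             for u in creds.findall("{*}user")}
    return creds.get("passwordFormat", "SHA1"), users

def authenticate(config_xml: str, name: str, password: str) -> bool:
    """Mirror of FormsAuthentication.Authenticate (assumed): hash the supplied
    password with the configured format and compare with the stored value; the
    user name is matched case-insensitively, the digest in constant time."""
    fmt, users = load_credentials(config_xml)
    stored = users.get(name.lower())
    if stored is None:
        return False
    return hmac.compare_digest(stored.upper(), hash_for_config(password, fmt))

# Constructed sample in the shape of Listing 1: passwords equal the user names,
# as in the article, and the stored hashes are generated rather than typed in.
SAMPLE_USERS = {"User1": "user1", "User2": "user2"}
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web><authentication mode="Forms"><forms name="MenuAuth">
  CREDENTIALS
  </forms></authentication></system.web>
</configuration>""".replace("CREDENTIALS", credentials_block(SAMPLE_USERS))
```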